Best Practice for Client Forensics in Guest WLAN

10-05-2017 07:14 AM

Hi all,

I am searching for best practice recommendations for doing forensics on guest clients which authenticated via self-registration on the web-based Aruba Guest Portal.

I would like to be able to track from given information (e.g. an accessed public IP address within a time range) to the guest account with which the client authenticated at the guest portal. My guests can register themselves, using a mobile phone number.

As long as the client is still connected to the network, I can track back quite easily. I am able to find out the guest account used and also the APs to which it is / was connected just by using the Aruba Central UI.

But I have not yet been able to find a way when the client has already disconnected from the network, e.g. when I do the forensics several days later.

Due to the setup used, the guest WLAN is directly connected to a firewall which is also administered by me. My local APs are grouped together using a Virtual Controller. Therefore, using the firewall logs, I am able to find out the internal IP address and the MAC address of the offending client. But where is the information stored to map from there to a self-registered guest account?

I have already started to collect syslog messages from the APs, but there is no log entry when the client has successfully authenticated. I only see MAC addresses here, no IP addresses.

Even if I periodically collected the output of "show clients" on the VC, I would not be able to see which guest account was used for authenticating at the Aruba web-based guest portal.